@chemmangat/msal-next 5.0.0 → 5.1.0

package/dist/index.js

@@ -54,6 +54,8 @@ __export(client_exports, {
   useMsalAuth: () => useMsalAuth,
   useMultiAccount: () => useMultiAccount,
   useRoles: () => useRoles,
+  useTenant: () => useTenant,
+  useTenantConfig: () => useTenantConfig,
   useTokenRefresh: () => useTokenRefresh,
   useUserProfile: () => useUserProfile,
   validateConfig: () => validateConfig,
@@ -131,19 +133,44 @@ function createMsalConfig(config) {
     navigateToLoginRequestUrl = false,
     enableLogging = false,
     loggerCallback,
-    allowedRedirectUris
+    allowedRedirectUris,
+    multiTenant
   } = config;
   if (!clientId) {
     throw new Error("@chemmangat/msal-next: clientId is required");
   }
-  const getAuthority = () => {
+  const resolveAuthorityType = () => {
+    if (multiTenant?.type) {
+      switch (multiTenant.type) {
+        case "single":
+          if (!tenantId) {
+            throw new Error(
+              '@chemmangat/msal-next: tenantId is required when multiTenant.type is "single"'
+            );
+          }
+          return tenantId;
+        case "multi":
+        case "common":
+          return "common";
+        case "organizations":
+          return "organizations";
+        case "consumers":
+          return "consumers";
+      }
+    }
     if (authorityType === "tenant") {
       if (!tenantId) {
-        throw new Error('@chemmangat/msal-next: tenantId is required when authorityType is "tenant"');
+        throw new Error(
+          '@chemmangat/msal-next: tenantId is required when authorityType is "tenant"'
+        );
       }
-      return `https://login.microsoftonline.com/${tenantId}`;
+      return tenantId;
     }
-    return `https://login.microsoftonline.com/${authorityType}`;
+    return authorityType;
+  };
+  const getAuthority = () => {
+    const resolved = resolveAuthorityType();
+    return `https://login.microsoftonline.com/${resolved}`;
   };
   const defaultRedirectUri = typeof window !== "undefined" ? window.location.origin : "http://localhost:3000";
   const finalRedirectUri = redirectUri || defaultRedirectUri;
@@ -764,6 +791,31 @@ function useMsalAuth(defaultScopes = ["User.Read"]) {
     instance.setActiveAccount(null);
     await instance.clearCache();
   }, [instance]);
+  const acquireTokenForTenant = (0, import_react.useCallback)(
+    async (tenantId, scopes) => {
+      if (!account) {
+        throw new Error("[MSAL] No active account. Please login first.");
+      }
+      try {
+        const response = await instance.acquireTokenSilent({
+          scopes,
+          account,
+          authority: `https://login.microsoftonline.com/${tenantId}`,
+          forceRefresh: false
+        });
+        return response.accessToken;
+      } catch (error) {
+        const msalError = wrapMsalError(error);
+        if (process.env.NODE_ENV === "development") {
+          console.error(msalError.toConsoleString());
+        } else {
+          console.error("[MSAL] Cross-tenant token acquisition failed:", msalError.message);
+        }
+        throw msalError;
+      }
+    },
+    [instance, account]
+  );
   return {
     account,
     accounts,
@@ -774,7 +826,8 @@ function useMsalAuth(defaultScopes = ["User.Read"]) {
     acquireToken,
     acquireTokenSilent,
     acquireTokenRedirect,
-    clearSession
+    clearSession,
+    acquireTokenForTenant
   };
 }
 
@@ -863,6 +916,86 @@ function TokenRefreshManager({
   return null;
 }
 
+// src/utils/tenantValidator.ts
+function getTenantDomain(account) {
+  const upn = account.username || account.idTokenClaims?.preferred_username || account.idTokenClaims?.upn || "";
+  return upn.includes("@") ? upn.split("@")[1].toLowerCase() : null;
+}
+function getTenantId(account) {
+  return account.tenantId || account.idTokenClaims?.tid || null;
+}
+function matchesTenant(value, tenantId, tenantDomain) {
+  const v = value.toLowerCase();
+  if (tenantId && v === tenantId.toLowerCase()) return true;
+  if (tenantDomain && v === tenantDomain.toLowerCase()) return true;
+  return false;
+}
+function isGuestAccount(account) {
+  const claims = account.idTokenClaims ?? {};
+  const resourceTenantId = account.tenantId || claims["tid"] || null;
+  const issuer = claims["iss"] || null;
+  if (!issuer || !resourceTenantId) return false;
+  const match = issuer.match(
+    /https:\/\/login\.microsoftonline\.com\/([^/]+)(?:\/|$)/i
+  );
+  if (!match) return false;
+  const homeTenantId = match[1];
+  return homeTenantId.toLowerCase() !== resourceTenantId.toLowerCase();
+}
+function validateTenantAccess(account, config) {
+  const tenantId = getTenantId(account);
+  const tenantDomain = getTenantDomain(account);
+  const claims = account.idTokenClaims ?? {};
+  if (config.blockList && config.blockList.length > 0) {
+    const blocked = config.blockList.some(
+      (entry) => matchesTenant(entry, tenantId, tenantDomain)
+    );
+    if (blocked) {
+      return {
+        allowed: false,
+        reason: `Tenant "${tenantDomain || tenantId}" is blocked from accessing this application.`
+      };
+    }
+  }
+  if (config.allowList && config.allowList.length > 0) {
+    const allowed = config.allowList.some(
+      (entry) => matchesTenant(entry, tenantId, tenantDomain)
+    );
+    if (!allowed) {
+      return {
+        allowed: false,
+        reason: `Tenant "${tenantDomain || tenantId}" is not in the allowed list for this application.`
+      };
+    }
+  }
+  if (config.requireType) {
+    const isGuest = isGuestAccount(account);
+    if (config.requireType === "Member" && isGuest) {
+      return {
+        allowed: false,
+        reason: "Only member accounts are allowed. Guest (B2B) accounts are not permitted."
+      };
+    }
+    if (config.requireType === "Guest" && !isGuest) {
+      return {
+        allowed: false,
+        reason: "Only guest (B2B) accounts are allowed."
+      };
+    }
+  }
+  if (config.requireMFA) {
+    const amr = claims["amr"] || [];
+    const hasMfa = amr.includes("mfa") || amr.includes("ngcmfa") || amr.includes("hwk") || amr.includes("swk");
+    if (!hasMfa) {
+      return {
+        allowed: false,
+        reason: "Multi-factor authentication (MFA) is required to access this application."
+      };
+    }
+  }
+  return { allowed: true };
+}
+
 // src/components/MsalAuthProvider.tsx
 var import_jsx_runtime = require("react/jsx-runtime");
 var globalMsalInstance = null;
@@ -875,6 +1008,7 @@ function MsalAuthProvider({
   onInitialized,
   autoRefreshToken = false,
   refreshBeforeExpiry = 300,
+  onTenantDenied,
   ...config
 }) {
   const [msalInstance, setMsalInstance] = (0, import_react3.useState)(null);
@@ -904,6 +1038,22 @@ function MsalAuthProvider({
             }
             if (response.account) {
               instance.setActiveAccount(response.account);
+              if (config.multiTenant) {
+                const validation = validateTenantAccess(response.account, config.multiTenant);
+                if (!validation.allowed) {
+                  try {
+                    await instance.logoutRedirect({ account: response.account });
+                  } catch {
+                  }
+                  const reason = validation.reason || "Tenant access denied.";
+                  if (onTenantDenied) {
+                    onTenantDenied(reason);
+                  } else {
+                    console.error("[MSAL] Tenant access denied:", reason);
+                  }
+                  return;
+                }
+              }
             }
             if (window.location.hash) {
               window.history.replaceState(null, "", window.location.pathname + window.location.search);
@@ -1003,8 +1153,12 @@ function MsalAuthProvider({
 var import_react4 = require("react");
 var import_jsx_runtime2 = require("react/jsx-runtime");
 var ProtectionConfigContext = (0, import_react4.createContext)(void 0);
-function MSALProvider({ children, protection, ...props }) {
-  return /* @__PURE__ */ (0, import_jsx_runtime2.jsx)(ProtectionConfigContext.Provider, { value: protection, children: /* @__PURE__ */ (0, import_jsx_runtime2.jsx)(MsalAuthProvider, { ...props, children }) });
+var TenantConfigContext = (0, import_react4.createContext)(void 0);
+function useTenantConfig() {
+  return (0, import_react4.useContext)(TenantConfigContext);
+}
+function MSALProvider({ children, protection, onTenantDenied, ...props }) {
+  return /* @__PURE__ */ (0, import_jsx_runtime2.jsx)(ProtectionConfigContext.Provider, { value: protection, children: /* @__PURE__ */ (0, import_jsx_runtime2.jsx)(TenantConfigContext.Provider, { value: props.multiTenant, children: /* @__PURE__ */ (0, import_jsx_runtime2.jsx)(MsalAuthProvider, { ...props, onTenantDenied, children }) }) });
 }
 
 // src/components/MicrosoftSignInButton.tsx
@@ -2419,8 +2573,48 @@ function AccountList({
   }) });
 }
 
-// src/hooks/useRoles.ts
+// src/hooks/useTenant.ts
 var import_react13 = require("react");
+function useTenant() {
+  const { account, isAuthenticated } = useMsalAuth();
+  const tenantInfo = (0, import_react13.useMemo)(() => {
+    if (!account) {
+      return {
+        tenantId: null,
+        tenantDomain: null,
+        isGuestUser: false,
+        homeTenantId: null,
+        resourceTenantId: null,
+        claims: null
+      };
+    }
+    const claims = account.idTokenClaims ?? {};
+    const resourceTenantId = account.tenantId || claims["tid"] || null;
+    const issuer = claims["iss"] || null;
+    let homeTenantId = null;
+    if (issuer) {
+      const match = issuer.match(
+        /https:\/\/login\.microsoftonline\.com\/([^/]+)(?:\/|$)/i
+      );
+      if (match) homeTenantId = match[1];
+    }
+    const isGuestUser = !!homeTenantId && !!resourceTenantId && homeTenantId.toLowerCase() !== resourceTenantId.toLowerCase();
+    const upn = account.username || claims["preferred_username"] || claims["upn"] || "";
+    const tenantDomain = upn.includes("@") ? upn.split("@")[1] : null;
+    return {
+      tenantId: resourceTenantId,
+      tenantDomain,
+      isGuestUser,
+      homeTenantId,
+      resourceTenantId,
+      claims
+    };
+  }, [account]);
+  return { ...tenantInfo, isAuthenticated };
+}
+
+// src/hooks/useRoles.ts
+var import_react14 = require("react");
 var rolesCache = /* @__PURE__ */ new Map();
 var CACHE_DURATION2 = 5 * 60 * 1e3;
 var MAX_CACHE_SIZE2 = 100;
@@ -2442,11 +2636,11 @@ function enforceCacheLimit2() {
 function useRoles() {
   const { isAuthenticated, account } = useMsalAuth();
   const graph = useGraphApi();
-  const [roles, setRoles] = (0, import_react13.useState)([]);
-  const [groups, setGroups] = (0, import_react13.useState)([]);
-  const [loading, setLoading] = (0, import_react13.useState)(false);
-  const [error, setError] = (0, import_react13.useState)(null);
-  const fetchRolesAndGroups = (0, import_react13.useCallback)(async () => {
+  const [roles, setRoles] = (0, import_react14.useState)([]);
+  const [groups, setGroups] = (0, import_react14.useState)([]);
+  const [loading, setLoading] = (0, import_react14.useState)(false);
+  const [error, setError] = (0, import_react14.useState)(null);
+  const fetchRolesAndGroups = (0, import_react14.useCallback)(async () => {
     if (!isAuthenticated || !account) {
       setRoles([]);
       setGroups([]);
@@ -2489,31 +2683,31 @@ function useRoles() {
       setLoading(false);
     }
   }, [isAuthenticated, account, graph]);
-  const hasRole = (0, import_react13.useCallback)(
+  const hasRole = (0, import_react14.useCallback)(
     (role) => {
       return roles.includes(role);
     },
     [roles]
   );
-  const hasGroup = (0, import_react13.useCallback)(
+  const hasGroup = (0, import_react14.useCallback)(
     (groupId) => {
       return groups.includes(groupId);
     },
     [groups]
   );
-  const hasAnyRole = (0, import_react13.useCallback)(
+  const hasAnyRole = (0, import_react14.useCallback)(
     (checkRoles) => {
       return checkRoles.some((role) => roles.includes(role));
     },
     [roles]
   );
-  const hasAllRoles = (0, import_react13.useCallback)(
+  const hasAllRoles = (0, import_react14.useCallback)(
     (checkRoles) => {
       return checkRoles.every((role) => roles.includes(role));
     },
     [roles]
   );
-  (0, import_react13.useEffect)(() => {
+  (0, import_react14.useEffect)(() => {
     fetchRolesAndGroups();
     return () => {
       if (account) {
@@ -2811,7 +3005,7 @@ function createScopedLogger(scope, config) {
 }
 
 // src/protection/ProtectedPage.tsx
-var import_react14 = require("react");
+var import_react15 = require("react");
 var import_navigation = require("next/navigation");
 var import_jsx_runtime12 = require("react/jsx-runtime");
 function ProtectedPage({
@@ -2824,9 +3018,10 @@ function ProtectedPage({
 }) {
   const router = (0, import_navigation.useRouter)();
   const { isAuthenticated, account, inProgress } = useMsalAuth();
-  const [isValidating, setIsValidating] = (0, import_react14.useState)(true);
-  const [isAuthorized, setIsAuthorized] = (0, import_react14.useState)(false);
-  (0, import_react14.useEffect)(() => {
+  const tenantInfo = useTenant();
+  const [isValidating, setIsValidating] = (0, import_react15.useState)(true);
+  const [isAuthorized, setIsAuthorized] = (0, import_react15.useState)(false);
+  (0, import_react15.useEffect)(() => {
     async function checkAuth() {
       if (debug) {
         console.log("[ProtectedPage] Checking auth...", {
@@ -2867,6 +3062,17 @@ function ProtectedPage({
           return;
         }
       }
+      if (config.tenant && account) {
+        const tenantResult = validateTenantAccess(account, config.tenant);
+        if (!tenantResult.allowed) {
+          if (debug) {
+            console.log("[ProtectedPage] Tenant validation failed:", tenantResult.reason);
+          }
+          setIsAuthorized(false);
+          setIsValidating(false);
+          return;
+        }
+      }
       if (config.validate) {
         try {
           const isValid = await config.validate(account);
@@ -2892,7 +3098,7 @@ function ProtectedPage({
       setIsValidating(false);
     }
     checkAuth();
-  }, [isAuthenticated, account, inProgress, config, router, defaultRedirectTo, debug]);
+  }, [isAuthenticated, account, inProgress, config, router, defaultRedirectTo, debug, tenantInfo]);
   if (isValidating || inProgress) {
     if (config.loading) {
       return /* @__PURE__ */ (0, import_jsx_runtime12.jsx)(import_jsx_runtime12.Fragment, { children: config.loading });
@@ -2947,6 +3153,8 @@ function createAuthMiddleware(config = {}) {
     redirectAfterLogin = "/",
     sessionCookie = "msal.account",
     isAuthenticated: customAuthCheck,
+    tenantConfig,
+    tenantDeniedPath = "/unauthorized",
     debug = false
   } = config;
   return async function authMiddleware(request) {
@@ -2979,6 +3187,30 @@ function createAuthMiddleware(config = {}) {
       url.searchParams.set("returnUrl", pathname);
       return import_server.NextResponse.redirect(url);
     }
+    if (isProtectedRoute && authenticated && tenantConfig) {
+      try {
+        const sessionData = request.cookies.get(sessionCookie);
+        if (sessionData?.value) {
+          const account = safeJsonParse(sessionData.value, isValidAccountData);
+          if (account) {
+            const tenantResult = validateTenantAccess(account, tenantConfig);
+            if (!tenantResult.allowed) {
+              if (debug) {
+                console.log("[AuthMiddleware] Tenant access denied:", tenantResult.reason);
+              }
+              const url = request.nextUrl.clone();
+              url.pathname = tenantDeniedPath;
+              url.searchParams.set("reason", tenantResult.reason || "access_denied");
+              return import_server.NextResponse.redirect(url);
+            }
+          }
+        }
+      } catch (error) {
+        if (debug) {
+          console.warn("[AuthMiddleware] Tenant validation error:", error);
+        }
+      }
+    }
     if (isPublicOnlyRoute && authenticated) {
       if (debug) {
         console.log("[AuthMiddleware] Redirecting to home");
@@ -3047,6 +3279,8 @@ var import_msal_react4 = require("@azure/msal-react");
   useMsalAuth,
   useMultiAccount,
   useRoles,
+  useTenant,
+  useTenantConfig,
   useTokenRefresh,
   useUserProfile,
   validateConfig,